@Rhidian Used makeresults to create sample events. To apply this logic permanently to your oracle:audit:unified sourcetype in Splunk, you’ll need to configure props.conf and transforms.conf to clean the SQL_TEXT field during ingestion. This ensures the spurious text (e.g., 4,,1,,,,,,) is stripped out before the data is indexed, so all your searches will see the cleaned version.

In props.conf, you’ll associate the oracle:audit:unified sourcetype with a transform that cleans the SQL_TEXT field.

Location: Typically $SPLUNK_HOME/etc/system/local/props.conf or an app-specific directory like $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf.

props.conf

[oracle:audit:unified]
SHOULD_LINEMERGE = false
TRUNCATE = 10000
TRANSFORMS-clean_sql = clean_sql_text

transforms.conf

[clean_sql_text]
SOURCE_KEY = SQL_TEXT
REGEX = ^([^,]+)
FORMAT = SQL_TEXT::$1
DEST_KEY = SQL_TEXT
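Added example, not part of the answer above: a small Python emulation of the transforms.conf REGEX/FORMAT step so the stanza can be checked against sample SQL_TEXT values before it is deployed, including SQL that itself contains commas. The sample values and the narrower trailing-junk regex are my own constructions, modelled on the single ",4,,1,,,,,," fragment quoted in the answer.

```python
import re

# Transform settings exactly as written in the answer above.
ANSWER_REGEX = r"^([^,]+)"
ANSWER_FORMAT = "SQL_TEXT::$1"

# Alternative regex (assumption, not from the answer): remove only a trailing
# ",<n>,,<n>,,,,,," block, modelled on the one quoted sample ",4,,1,,,,,,".
TRAILING_JUNK_REGEX = r"^(.*?),\d+,,\d+,{6}$"

# Constructed SQL_TEXT values; these are not real audit records.
SAMPLES = [
    "SELECT sysdate FROM dual,4,,1,,,,,,",    # no commas inside the SQL
    "SELECT ename, sal FROM emp,4,,1,,,,,,",  # commas inside the SQL
    "COMMIT",                                 # no trailing junk at all
]


def apply_transform(value, regex, fmt):
    """Emulate one transforms.conf stanza: run REGEX over the SOURCE_KEY
    value and expand $1, $2, ... in FORMAT. Returns (field, new_value),
    or None when REGEX does not match (Splunk then leaves the field as is)."""
    m = re.search(regex, value)
    if not m:
        return None
    expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fmt)
    field, _, new_value = expanded.partition("::")
    return field, new_value


def cleaned_sql_text(value, regex=ANSWER_REGEX, fmt=ANSWER_FORMAT):
    """Value SQL_TEXT would hold after the transform (unchanged if no match)."""
    result = apply_transform(value, regex, fmt)
    return value if result is None else result[1]


def compare(samples=SAMPLES):
    """Per sample: (result with the answer's regex, result with the narrower one)."""
    return {s: (cleaned_sql_text(s), cleaned_sql_text(s, TRAILING_JUNK_REGEX))
            for s in samples}


if __name__ == "__main__":
    for raw, (broad, narrow) in compare().items():
        print(repr(raw))
        print("  ^([^,]+)            ->", repr(broad))
        print("  trailing-junk regex ->", repr(narrow))
```

The second sample shows why the regex deserves a dry run: `^([^,]+)` stops at the first comma, so a statement with a column list is indexed as `SELECT ename` and the rest is lost.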